Tuesday, November 9, 2010

Recovering deleted files with Foremost

Originally developed by the United States Air Force Office of Special Investigations and The Center for Information Systems Security Studies and Research, foremost has since been released to the general public.

foremost - Recover files using their headers, footers, and data structures

For more information: man foremost

Audit your drive for recoverable files (-w writes only the audit report, audit.txt, and does not extract anything):

# foremost -w -i /dev/sda -o /recovery/foremost 

Have foremost recover only pdf files (example):

# foremost -t pdf -i /dev/sda -o /recovery/foremost

Two things to get right before running either command: the output directory must be empty or not yet exist (foremost refuses a non-empty one), and it must not live on the drive you are carving, or the recovered files will overwrite the very unallocated space you are trying to read. Where possible, take a dd image of the device first and point -i at the image instead of the live block device.

Filetypes accepted by "-t type" (abridged from the man page; the full list also includes gif, png, avi, wav, pdf, rar and htm, which is why "-t pdf" works above):

jpg   Support for the JFIF and Exif formats including implementations
bmp   Support for the Windows BMP format.
exe   Support for Windows PE binaries; will extract DLL and EXE files along with their compile times.
mpg   Support for most MPEG files (must begin with 0x000001BA).
riff  Extracts AVI and RIFF together, since they use the same file format (RIFF). Note: faster than running each separately.
wmv   Note: may also extract .wma files, as they have a similar format.
mov   QuickTime video.
ole   Grabs any file using the OLE file structure. This includes PowerPoint, Word, Excel, Access, and StarWriter.
doc   Note: it is more efficient to run ole, as you get more bang for your buck. If you wish to ignore all other OLE files, then use this.
zip   Note: will extract .jar files as well, because they use a similar format. Open Office docs are just zipped XML files, so they are extracted as well. These include SXW, SXC, SXI, and SX? for undetermined OpenOffice files.
cpp   C source code detection. Note: this is primitive and may generate documents other than C code.
all   Run all pre-defined extraction methods. [Default if no -t is specified]
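To make concrete what foremost does with the header and footer of each type above, here is a minimal carver written in the same style. It is an added example for this post, not foremost's own code: it scans a raw image for a few magic-byte signatures, reports what it would carve without writing anything (the equivalent of -w), and can write the carved regions into a per-type directory layout like foremost's. The disk image, the per-type size limits and all function names are constructed for the example.

```python
"""Minimal header/footer carver in the style of foremost.

Added example for this post; not foremost's own code. The disk image,
size limits and function names below are constructed for illustration.
"""
import os
import tempfile
from dataclasses import dataclass

# Per type: header magic, footer magic, and a maximum carve size. These are
# the same three facts foremost's type definitions carry; the limits here
# are illustrative, not foremost's defaults.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 20 * 1024 * 1024),
    "pdf": (b"%PDF", b"%%EOF", 50 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 20 * 1024 * 1024),
}


@dataclass
class Carved:
    ftype: str
    offset: int     # byte offset in the image (foremost reports sector offsets)
    size: int
    complete: bool  # False when no footer was found inside the size limit


def carve(image, types=None, max_sizes=None):
    """Audit mode (like foremost -w): report carveable regions, write nothing."""
    found = []
    for ftype in types or list(SIGNATURES):
        header, footer, limit = SIGNATURES[ftype]
        if max_sizes and ftype in max_sizes:
            limit = max_sizes[ftype]
        pos = 0
        while True:
            start = image.find(header, pos)
            if start < 0:
                break
            window_end = min(len(image), start + limit)
            end = image.find(footer, start + len(header), window_end)
            if end >= 0:
                end += len(footer)
                found.append(Carved(ftype, start, end - start, True))
                pos = end                      # resume after the whole file
            else:
                # Footer lost (truncated or overwritten file): carve up to the
                # limit, flag it, and resume right after this header so a later
                # header inside the window is not skipped.
                found.append(Carved(ftype, start, window_end - start, False))
                pos = start + len(header)
    return sorted(found, key=lambda c: c.offset)


def recover(image, outdir, types=None, max_sizes=None):
    """Write mode: one file per carve under outdir/<type>/, foremost-style."""
    results = carve(image, types, max_sizes)
    for c in results:
        tdir = os.path.join(outdir, c.ftype)
        os.makedirs(tdir, exist_ok=True)
        with open(os.path.join(tdir, f"{c.offset:08d}.{c.ftype}"), "wb") as fh:
            fh.write(image[c.offset:c.offset + c.size])
    return results


def build_sample_image():
    """Constructed image: junk, a complete JPEG, junk, a PDF, junk, a JPEG with no footer."""
    def junk(n):
        return bytes(0x41 + (i % 7) for i in range(n))  # 'A'..'G', no magic bytes
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-payload" * 8 + b"\xff\xd9"             # 102 bytes
    pdf = b"%PDF-1.4\n1 0 obj<<>>endobj\n" + b"stream-data" * 10 + b"\n%%EOF"  # 143 bytes
    truncated = b"\xff\xd8\xff\xe1" + b"Exif-payload" * 4                       # 52 bytes, footer lost
    return junk(512) + jpeg + junk(300) + pdf + junk(100) + truncated


SAMPLE_IMAGE = build_sample_image()


def demo(types=None, max_sizes=None):
    """Carve SAMPLE_IMAGE into a fresh temp dir; return (regions, bytes written per file)."""
    outdir = tempfile.mkdtemp(prefix="carve-")  # never on the drive being carved
    results = recover(SAMPLE_IMAGE, outdir, types, max_sizes)
    sizes = [os.path.getsize(os.path.join(outdir, c.ftype, f"{c.offset:08d}.{c.ftype}"))
             for c in results]
    return results, sizes


if __name__ == "__main__":
    for c in carve(SAMPLE_IMAGE):
        state = "complete" if c.complete else "TRUNCATED (no footer within limit)"
        print(f"{c.ftype}: offset {c.offset}, {c.size} bytes, {state}")
```

The truncated JPEG at the end of the image shows the caveat that matters most in practice: a file whose footer is gone, or whose real size exceeds the configured maximum, still comes out as a file, just cut at the limit. foremost behaves the same way, and for some types (exe, ole, zip) it also walks the internal data structures rather than trusting header and footer alone, which this toy does not attempt.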

